Configuring the Client Machine

The following example instructions assume that you installed and configured
the Solaris host as described in the previous section.

You must configure the PAM client machine so that it can locate the LDAP host
whose repository the client will use to access (and effectively change) the
LDAP store. To configure the PAM client, use the Solaris ldapclient command,
which stores the client’s configuration information on the local host.

Note –

Be sure to make a backup copy of the /etc/nsswitch.conf file
before you run the ldapclient command. Running ldapclient has several side effects, including completely replacing
the system’s /etc/nsswitch.conf file with a copy
of the contents of /etc/nsswitch.ldap.

The following image illustrates an example ldapclient command:

Figure A–1 Example ldapclient Command

Use an IP address rather than a DNS name in this configuration,
because DNS might not be available when the PAM system needs it.

It is also important to use a proxy credential set to prevent
anonymous authenticators from manipulating data in the LDAP store.

The system provides a set of proxy credentials you can use when manipulating
PAM data on the host LDAP store. (These proxy credentials match those created
when you used the idsconfig command to initialize the LDAP store.)

The generated configuration stores the proxy’s password
as an encrypted value for security purposes.

In addition to generating the requisite LDAP contact information, running ldapclient replaces the contents of the /etc/nsswitch.conf file
(the file you backed up earlier) with a copy of the contents of /etc/nsswitch.ldap. Consequently, most
(or all) of the directives in /etc/nsswitch.conf will now
include the ldap source (which means the LDAP store
will be consulted when resolving the associated service request).

In this example, the /etc/nsswitch.conf file
left on the system by the ldapclient command dropped the dns source from the list of services used
when resolving hosts. Because the example LDAP store may not be populated with
the host information needed to supplant DNS, the hosts line in /etc/nsswitch.conf is adjusted (this is the only change made to the post-ldapclient version of the /etc/nsswitch.conf file
in this example).

You should edit the hosts declaration to read as follows:

hosts: files ldap dns

instead of the value that ldapclient configured:

hosts: ldap [NOTFOUND=return] files

This adjustment might not suit your environment if you serve
DNS data from the LDAP store. Apply this change only if your environment
calls for it.
In addition, compare the service directives in the effective /etc/nsswitch.conf file
with those in the pre-ldapclient backup to validate that every service is now being directed correctly.
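The post-ldapclient review and hosts adjustment described above, as an added shell example that is not part of the original guide. The backup filename nsswitch.conf.pre-ldap and the two sample files are assumptions constructed for the demo; on a real host, point the paths at /etc.

```shell
# Added example, not from the original guide. Compares the effective
# nsswitch.conf with the pre-ldapclient backup and restores the hosts
# directive the guide recommends. Paths and sample contents below are
# constructed for this demo.

# Replace the hosts directive in file $1 with the guide's recommended value.
fix_hosts_line() {
    tmp="$1.tmp.$$"
    sed 's/^hosts:.*/hosts: files ldap dns/' "$1" > "$tmp" && mv "$tmp" "$1"
}

# Print the current hosts directive of file $1.
hosts_line() {
    awk '$1 == "hosts:" { print; exit }' "$1"
}

# Print "service: old -> new" for every service whose lookup sources differ
# between the backup ($1) and the effective file ($2); comments are skipped.
changed_directives() {
    awk -F: '
        /^[[:space:]]*(#|$)/ { next }
        { svc = $1; sub(/^[^:]*:[[:space:]]*/, ""); sub(/[[:space:]]+$/, "") }
        NR == FNR { before[svc] = $0; next }
        (svc in before) && before[svc] != $0 {
            printf "%s: %s -> %s\n", svc, before[svc], $0
        }
    ' "$1" "$2"
}

# Constructed samples: the backup taken before ldapclient, and the file
# ldapclient left behind (a copy of /etc/nsswitch.ldap).
work="${TMPDIR:-/tmp}/nsswitch-demo.$$"
mkdir -p "$work"
cat > "$work/nsswitch.conf.pre-ldap" <<'EOF'
passwd:     files
group:      files
hosts:      files dns
ipnodes:    files dns
EOF
cat > "$work/nsswitch.conf" <<'EOF'
passwd:     files ldap
group:      files ldap
hosts:      ldap [NOTFOUND=return] files
ipnodes:    ldap [NOTFOUND=return] files
EOF

# Review every changed service, then put files and dns back into the hosts path.
changed_directives "$work/nsswitch.conf.pre-ldap" "$work/nsswitch.conf"
fix_hosts_line "$work/nsswitch.conf"
```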